AMENDMENTS TO THE CLAIMS 

1. (Currently Amended) A method comprising:

receiving, by an Internet host, notification of a distributed denial of service (DDoS) attack;

establishing security authentication [[from]] with an upstream router from which attack traffic,
transmitted by one or more attack host computers, is received; and

once security authentication is established, transmitting one or more filters to the upstream
router such that attack traffic is dropped by the upstream router, [[thereby terminating]] to terminate the
[[distributed denial of service]] DDoS attack, wherein the upstream router includes a preprogrammed
DDoS squelch time to live value to define an expiration time for the one or more filters.

2. (Currently Amended) The method of claim 1, wherein [[detecting the attack
traffic]] receiving notification of the DDoS attack further comprises:

monitoring network traffic received by an Internet host; and 

when a distributed denial of service attack is detected, notifying the Internet host of the 
distributed denial of service attack. 

3. (Currently Amended) The method of claim 1, wherein establishing security
authentication further comprises:

transmitting a security authentication request to the upstream router including authentication
information, the [[authorization]] authentication information including a destination address of the
attack traffic; and

receiving authorization for establishment of security authentication from the upstream
router.

4. (Currently Amended) The method of claim 1, wherein the transmitting the one or 
more filters further comprises: 

identifying attack traffic characteristics of the attack traffic received by an Internet host; 

generating one or more filters based on the identified attack traffic characteristics, such that 
the one or more filters direct the upstream router to drop network traffic matching the attack traffic 
characteristics; 

digitally signing the one or more filters using a digital [[certificate]] signature of the Internet
host; and

transmitting the one or more digitally signed filters to the upstream router includes a digital
certificate or the Internet host.

5. (Currently Amended) A method comprising:

establishing security authentication of an Internet host under a distributed denial of service 
(DDoS) attack; 

receiving one or more filters from the Internet host; 

when security authentication is established, verifying that the one or more filters select only 
network traffic directed to the Internet host; and 

once verified, generating a filter expiration time for each filter based on a preprogrammed
DDoS squelch time to live value, such that the filters are uninstalled once the expiration time
expires;

installing the one or more filters such that network traffic matching the one or more filters is 
prevented from reaching the Internet host. 

6. (Original) The method of claim 5, wherein establishing security authentication 
further comprises: 

receiving a request for security authentication including authentication information from the 
Internet host; 

selecting the authentication information from the security authentication request; and 
authenticating an identity of the Internet host based on the selected authentication 
information. 

7. (Currently Amended) The method of claim 5, wherein the receiving the one or more 
filters further comprises: 

authenticating a source of the one or more filters received as the Internet host; 

once authenticated, verifying that a router administrator has [[set]] programmed a DDoS
squelch time to live value for received filters;

[[once verified, generating a filter expiration time for each filter based on the time to live value,
such that the filters are uninstalled once the expiration time expires;]]

once verified, verifying that an action component of each of the filters is drop; and 

otherwise, disregarding the one or more filters received from the Internet host. 

8. (Original) The method of claim 5, wherein verifying the one or more filters further 
comprises: 

selecting a destination address component for each of the one or more filters received from 
the Internet host; 

comparing the selected destination address components against an address of the Internet
host;

verifying that the selected destination addresses matches the Internet host address; and

otherwise, disregarding the one or more filters received from the Internet host.

9. (Original) The method of claim 5, wherein installing the one or more filters further 
comprises: 

selecting network traffic matching one or more of the filters received from the Internet host;
and

dropping the selected network traffic such that attack traffic received from one or more 
attack host computers by the Internet host is eliminated in order to terminate the distributed denial 
of service attack. 
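
The router-side checks recited in claims 5 and 7 to 9, as an added example that is not part of the claims or of any implementation by the applicant. The class and field names are hypothetical, and an HMAC over a pre-shared key stands in for the digital signature and certificate the claims refer to.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    dst: str                # destination address the filter selects
    action: str             # the claims accept only "drop"
    src: str = "0.0.0.0/0"  # attack-source prefix (constructed field)


def sign(filters, key):
    """Host side: MAC over a canonical encoding of the filter list."""
    blob = json.dumps([vars(f) for f in filters], sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


@dataclass
class SquelchRouter:
    host_keys: dict                      # host address -> key (assumption)
    squelch_ttl: Optional[float] = None  # set by the router administrator
    installed: list = field(default_factory=list)  # (Filter, expires_at)

    def receive(self, host, filters, tag, now):
        """Return the filters installed; [] means they were disregarded."""
        key = self.host_keys.get(host)
        if key is None or not hmac.compare_digest(sign(filters, key), tag):
            return []  # source of the filters is not the authenticated host
        if self.squelch_ttl is None:
            return []  # no squelch time to live value programmed
        host_ip = ipaddress.ip_address(host)
        for f in filters:
            if f.action != "drop":
                return []
            try:
                dst = ipaddress.ip_network(f.dst)
                ipaddress.ip_network(f.src)
            except ValueError:
                return []
            # The filter may select only traffic directed to the host itself.
            if dst.num_addresses != 1 or dst.network_address != host_ip:
                return []
        expires_at = now + self.squelch_ttl
        self.installed.extend((f, expires_at) for f in filters)
        return list(filters)

    def forwards(self, pkt_src, pkt_dst, now):
        """False if a live filter drops the packet; expired ones are removed."""
        self.installed = [(f, t) for f, t in self.installed if t > now]
        src, dst = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
        return not any(
            dst in ipaddress.ip_network(f.dst) and src in ipaddress.ip_network(f.src)
            for f, _ in self.installed
        )


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values throughout
    router = SquelchRouter({"198.51.100.10": key}, squelch_ttl=300.0)
    wide = [Filter(dst="198.51.100.0/24", action="drop")]
    print(router.receive("198.51.100.10", wide, sign(wide, key), now=0.0))
```

A filter whose destination is wider than the requesting host, whose action is not drop, or whose tag does not verify is disregarded as a whole, which is what keeps an authenticated host from squelching traffic that belongs to someone else.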

10. (Original) The method of claim 5, further comprising: 

determining, by an upstream router receiving the one or more filters from the Internet host, 
one or more ports from which the attack traffic matching the one or more filters is being received 
based on a routing table; 

selecting a port from the one or more determined ports; 

determining an upstream router connected to the selected port based on a routing table; 
securely forwarding the one or more filters received from the Internet host to the detected 
upstream router as a routing protocol update; and 

repeating the selecting, determining and utilizing for each of the one or more determined
ports.

11. (Currently Amended) A method comprising:

receiving a routing protocol update from a downstream router;

selecting one or more filters from the routing protocol update received from the downstream
router;

establishing security authentication of the downstream router; 

once authentication is established, verifying that the one or more filters select only network 
traffic directed to the downstream router; and 

once verified, generating a filter expiration time for each filter based on a preprogrammed
DDoS squelch time to live value, such that the filters are uninstalled once the expiration time
expires; and

installing the one or more filters such that attack traffic matching the one or more filters is 
prevented from reaching the downstream router. 

12. (Currently Amended) The method of claim 11, wherein establishing security
authentication of the downstream router further comprises:

selecting authentication information from the routing protocol update received from the
downstream router; 

once selected, authenticating an identity of the downstream router based on the 
authentication information; 

authenticating a source of the one or more filters as the downstream router; 

once authenticated, verifying that a router administrator has [[set]] programmed a DDoS
squelch time to live value for received filters;

[[once verified, generating a filter expiration time for each filter based on the time to live value,
such that the filters are uninstalled once the expiration time expires;]]

once verified, verifying that an action component of each of the filters is drop; and 

otherwise, disregarding the one or more filters received from the downstream router. 

13. (Currently Amended) The method of claim 11, wherein verifying the one or more 
filters further comprises: 

selecting a destination address component for each of the one or more filters; 

comparing the selected destination address component against [[an address of the
downstream router]] a routing table;

verifying that [[the selected destination address matches]] the downstream router [[address]] is a
next hop router according to the routing table; and

otherwise, disregarding the one or more filters received from the downstream router. 

14. (Original) The method of claim 11, further comprises:

determining, by an upstream router receiving the one or more filters from the downstream 
router, one or more ports from which attack traffic matching the one or more received filters is 
being received; 

selecting a port from the one or more determined ports; 

determining an upstream router coupled to the selected port based on a routing table; 
securely forwarding the one or more received filters to the determined upstream router as a 
routing protocol update; and 

repeating the selecting, determining, and forwarding for each of the one or more determined
ports.

15. (Currently Amended) [[A]] An article of manufacture, comprising a machine readable
storage medium [[including program instructions that direct a system to function in a specific manner
when executed by a processor, the program instructions]] having associated data wherein the data,
when accessed, results in a machine to perform operations, comprising:

receiving, by an Internet host, notification of a distributed denial of service (DDoS) attack;

establishing security authentication [[from]] with an upstream router from which attack traffic,
transmitted by one or more attack host computers, is received; and

once security authentication is established, transmitting one or more filters to the upstream
router such that attack traffic is dropped by the upstream router, [[thereby terminating the distributed
denial of service]] to terminate the DDoS attack, wherein the upstream router includes a predetermined
DDoS squelch time to live value to define an expiration time for the one or more filters.

16. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 15, wherein the instruction of detecting the attack traffic causes the machine to perform
[[further comprises]] operations, comprising:

monitoring network traffic received by an Internet host; and 

when a distributed denial of service attack is detected, notifying the Internet host of the 
distributed denial of service attack. 

17. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 15, wherein establishing security authentication causes the machine to perform [[further
comprises]] operations, comprising:

transmitting a security authentication request to the upstream router including authentication
information, the authorization information including a destination address of the attack traffic; and

receiving authorization for establishment of security authentication from the upstream
router.

18. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 15, wherein transmitting the one or more filters causes the machine to perform [[further
comprises]] operations, comprising:

identifying attack traffic characteristics of the attack traffic received by an Internet host; 

generating one or more filters based on the identified attack traffic characteristics, such that 
the one or more filters direct the upstream router to drop network traffic matching the attack traffic 
characteristics; 

digitally signing the one or more filters using a digital [[certificate]] signature of the Internet
host; and 

transmitting the one or more digitally signed filters to the upstream router. 

19. (Currently Amended) [[A]] An article of manufacture, comprising a machine readable
storage medium [[including program instructions that direct a system to function in a specific manner
when executed by a processor, the program instructions]] having associated data, wherein the data,
when accessed, results in a machine to perform operations, comprising:

establishing a security authentication of a downstream device;

once security authentication is established, verifying that one or more filters from the 
downstream device select only network traffic directed to the downstream device; and 

once verified, generating a filter expiration time for each filter based on a preprogrammed 
DDoS squelch time to live value, such that the filters are uninstalled once the expiration time 
expires; and 

installing the one or more filters such that network traffic matching the one or more filters is 
prevented from reaching the downstream device. 

20. (Currently Amended) The [[machine readable storage medium]] article of
manufacture of claim 19, wherein establishing security authentication causes the machine to
perform [[further comprises]] operations, comprising:

receiving a routing protocol update from the downstream device; 
selecting authentication information from the received routing protocol update; 
authenticating an identity of the downstream device based on the selected authentication 
information; 

once authenticated, selecting the one or more filters from the received routing protocol 
update; and

authenticating integrity of the one or more filters based on a digital signature of the filters. 

21. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 19, wherein verifying the one or more filters causes the machine to perform [[further
comprises]] operations, comprising:

authenticating a source of the one or more filters received as the downstream device; 

once authenticated, verifying that a router administrator has set a DDoS squelch time to live 
value for received filters; 

[[once verified, generating a filter expiration time for each filter based on the time to live, such
that the filters are uninstalled once the expiration time expires;]]

once verified, verifying that an action component of each of the filters is drop; and

otherwise, disregarding the one or more filters received from the [[Internet host]] downstream
device.

22. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 19, wherein verifying the one or more filters causes the machine to perform [[further
comprises]] operations, comprising:

selecting a destination address component for each of the one or more filters received from
the downstream device;

comparing the destination address components against an address of the downstream
device;

verifying that the selected destination addresses matches the downstream device address;
and

otherwise, disregarding the one or more filters received from the downstream device. 

23. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 19, wherein establishing security authentication causes the machine to perform [[further
comprises]] operations, comprising:

receiving a request for security authentication including authentication information from the 
downstream device; 

selecting the authentication information from the security authentication request; and 
authenticating an identity of the downstream device based on the selected authentication 
information. 

24. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 19, wherein installing the one or more filters causes the machine to perform [[further
comprises]] operations, comprising:

selecting network traffic matching one or more of the filters received from the downstream 
device; and 

dropping the selected network traffic such that attack traffic received from one or more 
attack host computers by the downstream device is eliminated in order to terminate a distributed 
denial of service attack. 

25. (Currently Amended) The [[machine readable storage medium]] article of manufacture
of claim 19, wherein further the machine readable storage medium further includes data, that when
accessed, causes the machine to perform further operations, comprising:

determining, by an upstream router receiving the one or more filters from the downstream 
router, one or more ports from which attack traffic matching the one or more received filters is 
being received; 

selecting a port from the one or more determined ports; 

determining an upstream router coupled to the selected port based on a routing table; 
securely forwarding the one or more received filters to the determined upstream router as a 
routing protocol update; and 

repeating the selecting, determining, and forwarding for each of the one or more determined
ports.

26. (Currently Amended) An apparatus, comprising: 
a processor having circuitry to execute instructions; 

a control plane interface coupled to the processor, the control plane interface to packet
processing [[filers]] filters, and to authenticate a source of the packet processing filters; and

a storage device coupled to the processor, having sequences of instructions stored therein,
which when executed by the processor cause the processor to:

establish a security authentication of a downstream device;

once security authentication is established, verify that one or more filters from the
downstream device select only network traffic directed to the downstream device; and

once verified, generate a filter expiration time for each filter based on a preprogrammed
DDoS squelch time to live value, such that the filters are uninstalled once the expiration time
expires; and

install the one or more filters such that network traffic matching the one or more filters is 
prevented from reaching the downstream device. [[.]] 

27. (Currently Amended) The apparatus of claim 26, wherein the instruction to 
establish security authentication further causes the processor to: 

receive a routing protocol update from the downstream device; 
select authentication information from the received routing protocol update;
authenticate an identity of the downstream device based on the selected authentication 
information; 

once authenticated, select the one or more filters from the received routing protocol update;
and

authenticate integrity of the one or more filters based on a digital signature of the filters. 

28. (Currently Amended) The apparatus of claim 26, wherein the instruction to receive 
the one or more filters further causes the processor to: 

authenticate a source of the one or more filters received as the downstream device; 

once authenticated, verify that a router administrator has [[set]] programmed a DDoS squelch
time to live value for received filters;

[[once verified, generate a filter expiration time for each filter based on the time to live, such
that the filters are uninstalled once the expiration time expires;]]

once verified, verify that an action component of each of the filters is drop; and

otherwise, disregard the one or more filters received from the [[Internet host]] downstream
device.

29. (Currently Amended) The apparatus of claim 26, wherein the instruction to verify 
the one or more filters further causes the processor to: 

select a destination address component for each of the one or more filters received from the 
downstream device, 

compare the destination address components against an address of the downstream
[[device]] routing table,

verify [[the selected destination addresses matches the Internet host address]] that the
downstream device is a next hop router according to the routing table, and

otherwise, disregard the one or more filters received from the downstream device 

30. (Original) The apparatus of claim 26, wherein instruction to install the one or more 
filters further causes the processor to: 

select network traffic matching one or more of the filters received from the downstream 
device, and 

drop the selected network traffic such that attack traffic received from one or more host 
attack computers by the downstream device is eliminated in order to terminate a distributed denial of 
service attack. 

31. (Original) The apparatus of claim 26, wherein the processor is further caused to:

determine, by a router receiving the one or more filters from the downstream device, one or
more ports from which the attack traffic matching the one or more filters is being received based on
a routing table, 

determine one or more upstream routers connected to the determined ports, 
establish a secure connection with each of the one or more upstream routers, and 
forward the one or more filters received from the downstream device to the one or more 
upstream routers. 

32. (Original) The apparatus of claim 26, wherein the instruction to establish security 
authentication further causes the processor to: 

receiving a request for security authentication including authentication information from the 
downstream device; 

decrypting the received authentication information; 

selecting the authentication information from the security authentication request; and

authenticating an identity of the downstream device based on the selected authentication
information. 

33. (Currently Amended) A system comprising: 
an Internet host; 

a wide area network; and 

a router coupled between the Internet host and the wide area network, the router having: 
a processor having circuitry to execute instructions; 

a control plane interface coupled to the processor, the control plane interface to receive 
packet processing filers, and to authenticate a source of the packet processing filters; and 

a storage device coupled to the processor, having sequences of instructions stored therein, 
which when executed by the processor cause the processor to: 

establish security authentication of an Internet host under a distributed denial of 
service (DDoS) attack; 

receive one or more filters from the Internet host; 

when security authentication is established, verify that the one or more filters select 
only network traffic directed to the Internet host; and 

once verified, generate a filter expiration time for each filter based on a preprogrammed
DDoS squelch time to live value, such that the filters are uninstalled once the expiration time
expires; and

install the one or more filters such that network traffic matching the one or more filters is 
prevented from reaching the Internet host. 

34. (Original) The system of claim 33, 

wherein the Internet host receives notification of a distributed denial of service attack, 
establishes security authentication from an upstream router from which the attack traffic, transmitted 
by one or more attack host computers, is received, and transmits one or more filters to the upstream 
router such that attack traffic is dropped by the upstream router, thereby terminating the distributed 
denial of service attack. 

35. (Original) The system of claim 33, wherein the processor is further caused to: 
determine, by a router receiving the one or more filters from a downstream device, one or
more ports from which the attack traffic matching the one or more filters is being received based on
a routing table, 

determine one or more upstream routers connected to the determined ports, and

securely forward the one or more filters received from the downstream device to the one or
more upstream routers as a routing protocol update.